A previously unknown hacker has leaked personal information belonging to millions of customers of boAt, an Indian consumer electronics company.
The company is India’s leading manufacturer of wireless audio and wearable devices. According to boAt, it controlled about 26% of the wearables market as of 2023, per IDC data. As of 2022, it sold nearly 40% of all earbuds in the country, more than five times its closest competitor, according to data from Counterpoint Research.
The threat actor, operating under the nom de guerre “ShopifyGUY,” posted 2 GB worth of files to the Dark Web on April 5, according to reports. The files contained approximately 7.5 million entries of personally identifiable information (PII) relating to boAt customers, including names, addresses, phone numbers, emails and more.
The entire lot was put up for sale for just around $2, potentially raising suspicions about the authenticity of the data. However, several media outlets have since contacted a sample of affected customers, who confirmed that their information was correct.
Dark Reading reached out to boAt’s security team to confirm the details of the attack but has not yet received a response.
Prevent customer data leaks
To avoid falling victim to such an attack, Darren Williams, CEO and founder of BlackFog, suggests companies invest in anti-exfiltration tools.
“Anti-data exfiltration is about looking for data coming out of the network and then using it with AI to see if it is a legitimate request,” he explains. Programs trained to do this work operate on dozens of contextual and behavioral parameters to distinguish legitimate from illegitimate traffic.
That said, he adds, there are even simpler, low-tech steps companies can take to make simple leaks more complicated.
“In a mature organization,” he explains, “a fundamental security requirement is encryption of data at rest. This way, if someone accesses your database, it doesn’t matter, because they won’t be able to decrypt it anyway. So it fascinates me that, nowadays, people don’t take the basic step of encrypting their database.
“It’s not difficult: it takes 30 seconds, you just press the On button. It makes me think [boAt] was asleep at the wheel.”